
Add the policy for checking AWS secret and access key in Instance User data. #358

Open
harkirat22 opened this issue Oct 20, 2020 · 6 comments

Comments

@harkirat22
Contributor

Example:
user_data = <<EOF
#! /bin/bash
sudo apt-get update
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY
export AWS_DEFAULT_REGION=us-west-2
EOF

I deliberately ran the above; terrascan did not detect this violation. Later, I checked the rego policies of terrascan and found there is no such policy for checking the above violation.

@harkirat22
Contributor Author

@cesar-rodriguez is there any guide on how to contribute to terrascan policies? I wrote an OPA for the above misconfiguration. However, if there is any guide to contribute, I would love to know.

@cesar-rodriguez
Contributor

Hi @harkirat22. We still need to add better documentation on how to contribute policies, but a good place to get started is this comment from @williepaul : #326 (comment)

Here's also a policy-only PR that was recently merged you could use as a reference: #350

Feel free to comment here if you get stuck or have any questions. Looking forward to your contribution!

@harkirat22
Contributor Author

@cesar-rodriguez. Yup sure, I will have a look at that. I have written OPA policies and run them on a terraform plan converted to JSON format. I will write the same as per the terrascan format.

@harkirat22
Contributor Author

@cesar-rodriguez @williepaul, I wrote the policy for this issue. Please have a look; afterwards, I will create a pull request.
I was trying to create the same format as most of the policies have under aws. Some have rc with base64, which I checked contains a remediation code; do I have to include it for this policy?

package accurics

# Flags any aws_instance whose user_data matches one of three patterns:
# a bare 40-character secret-shaped token, an access key id prefix, or a
# "<key name> = <40-char value>" assignment.
EC2withSecrets[retVal] {
    # Inside a Rego string, " must be escaped as \" and \s as \\s;
    # "\+" is not a valid Rego escape, so the literal + is written unescaped.
    pattern := [
        "[A-Za-z0-9/+=]{40}",
        "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}",
        "(\"|')?(AWS|aws|Aws)??(SECRET|secret|Secret)??(ACCESS|access|Access)??(KEY|key|Key)(\"|')?\\s*(:|=>|=)\\s*(\"|')?[A-Za-z0-9/+=]{40}(\"|')?"
    ]
    some i
    # iterate over every aws_instance resource in the input
    instance := input.aws_instance[_]
    user_data := instance.config.user_data
    regex.match(pattern[i], user_data)
    retVal := { "Id": instance.id, "ReplaceType": "edit", "CodeType": "block", "Traverse": "", "Attribute": "", "AttributeDataType": "", "Expected": "No AWS Secrets in user data", "Actual": instance.config.user_data }
}
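The three regexes from the policy above, transcribed to Python as an added example (not terrascan's code or the policy author's), run over constructed user_data scripts. The `scan_instance` helper and the `user_data_base64` handling are assumptions of this example: the Rego above only inspects `user_data`, and the third input shows that the bare 40-character pattern also fires on a SHA-1 hex digest.

```python
import base64
import re

# The policy's three patterns as Python raw strings (in Rego they need "\\s").
PATTERNS = {
    "40-char secret-shaped token": r"[A-Za-z0-9/+=]{40}",
    "access key id prefix": r"(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}",
    "secret key assignment": (
        r"""("|')?(AWS|aws|Aws)??(SECRET|secret|Secret)??(ACCESS|access|Access)??"""
        r"""(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/+=]{40}("|')?"""
    ),
}


def scan_user_data(instance_id, user_data):
    """Return one finding per matching pattern, shaped like the policy's retVal."""
    findings = []
    for name, pat in PATTERNS.items():
        m = re.search(pat, user_data)
        if m:
            findings.append({"Id": instance_id, "Pattern": name,
                             "Expected": "No AWS Secrets in user data",
                             "Actual": m.group(0)})
    return findings


def scan_instance(instance):
    """Hypothetical helper: scan one aws_instance config dict. user_data_base64
    (a real aws_instance argument the Rego above ignores) is decoded first."""
    cfg = instance["config"]
    text = cfg.get("user_data") or ""
    if cfg.get("user_data_base64"):
        text += "\n" + base64.b64decode(cfg["user_data_base64"]).decode("utf-8", "replace")
    return scan_user_data(instance["id"], text)


# Constructed inputs: the script from this issue, a clean script, and a clean
# script that trips the first pattern on a 40-character SHA-1 hex digest.
LEAKY = ("#!/bin/bash\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA\n"
         "export AWS_SECRET_ACCESS_KEY=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\n")
CLEAN = "#!/bin/bash\nsudo apt-get update && sudo apt-get install -y nginx\n"
SHA1_CHECK = "#!/bin/bash\necho 'da39a3ee5e6b4b0d3255bfef95601890afd80709  app.tar' | sha1sum -c\n"
LEAKY_B64 = base64.b64encode(LEAKY.encode()).decode()

if __name__ == "__main__":
    for label, ud in [("leaky", LEAKY), ("clean", CLEAN), ("sha1", SHA1_CHECK)]:
        print(label, [f["Pattern"] for f in scan_user_data("i-0000", ud)])
```

The SHA-1 case is the false positive to expect from the first pattern on its own; the second and third patterns are the ones that actually pin down AWS credentials.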

@cesar-rodriguez
Contributor

Looks good @harkirat22! No need to include rc for this. Thanks!

@kanchwala-yusuf
Contributor

@harkirat22, can we close this issue? Is there any action pending on this one?
